Get your Wi-Fi network ready for Windows 8

Microsoft will launch Windows 8 in late October. Along with a slew of other features, it will be among the first to support the 802.11w standard to protect Management Frames for client devices on Wi-Fi networks.

Customers running older Cisco unified releases (4.2 through 7.2) in local, Flex or mesh mode will run into an interoperability bug (CSCua29504, to be exact) that prevents 802.11w-enabled clients from connecting to a Cisco WLAN with Management Frame Protection (MFP) enabled. This bug does not affect customers running autonomous access point deployments or customers running Cisco unified releases older than 4.2.

What are the possible solutions for you?

1. Upgrade your production environment to one of the following releases, which interoperate with Windows 8:
   - 7.3.101.0
   - 7.2.111.3
   - 7.0.235.3
2. Roll back to pre-Windows 8 drivers, as identified in the Microsoft Knowledge Base article.
3. Fall back to TKIP (802.11w is only negotiated with AES/CCMP, so TKIP clients do not trigger the bug; TKIP is a weaker cipher, so treat this as a temporary workaround).
4. Sign up for the beta release of Cisco’s upcoming feature release 7.4 (beta available now!), which supports 802.11w in local mode.

What is 802.11w ?

802.11w is an IEEE standard based on Cisco’s Management Frame Protection (MFP), a feature first supported on autonomous access points in release 12.3(8)JA in 2006 and in unified release 4.0.155.5 in 2008. 802.11w isn’t a new standard: IEEE ratified it in 2009, but adoption has been slow to date. That is expected to change with Windows 8.

The Wi-Fi Alliance (WFA) has announced that it will position the Protected Management Frame interoperability certification program as a feature update to its Wi-Fi Protected Access 2 (WPA2) program.

Why do I care about 802.11w ?

I joined the Cisco Wireless Networking Business Unit (WNBU) in early 2006 as a Product Manager for Autonomous Access Points, and the first software release that I managed was 12.3(8)JA. One of the coolest features in that release was a Cisco innovation around protecting management frames. As many of you may know, 802.11 management frames such as Authenticate, Deauthenticate, Associate and Disassociate are sent in the clear (that is, without any protection). This allows an attacker to spoof management frames from a valid device and mount a Denial of Service (DoS) attack by sending deauthenticate/disassociate frames.

When MFP is enabled, the sending device computes a cryptographic hash to create a message integrity check (MIC) and embeds it in an Information Element (IE) of every management frame. When another device in the network receives the frame, it can verify the authenticity of the source. If a single invalid frame is received on the network, it is dropped and an Intrusion Detection System alert is raised - this means zero-day protection!

What about clients that don’t support 802.11w ?

There are two components to Management Frame Protection:

– Infrastructure MFP: When the wireless controller and access point infrastructure support 802.11w, any frames from a hacker masquerading as an infrastructure AP and attempting to communicate with other APs will be dropped.

– Client MFP: When a client ALSO supports this feature, it can secure its communications with the infrastructure. This means any frames from a hacker masquerading as an infrastructure AP and sending disconnect messages to the clients will be dropped.
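The check that both MFP components above rely on, as an added illustration that is not Cisco’s code or an 802.11w reference implementation: the sender appends a Management MIC IE (element ID 76 carrying a key ID, a 6-byte IPN replay counter and an 8-byte MIC), and the receiver drops any management frame that is unprotected, replayed or fails the MIC, raising an IDS alert. It assumes a hypothetical pre-shared IGTK and substitutes truncated HMAC-SHA256 for the AES-128-CMAC that BIP uses, since the Python standard library has no CMAC.

```python
import hashlib
import hmac
import struct

MMIE_ID = 76          # Element ID of the Management MIC IE (802.11w)
MMIE_LEN = 18         # id(1) len(1) keyid(2) IPN(6) MIC(8)
MGMT_HDR_LEN = 24     # FC(2) duration(2) A1(6) A2(6) A3(6) seq(2)
DEAUTH_FC = b"\xc0\x00"   # frame control: type=management, subtype=deauth

def mgmt_frame(fc, dst, src, bssid, seq, body):
    """Build a plain (unprotected) 802.11 management frame."""
    return fc + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4) + body

def _mic(igtk, frame, mmie_no_mic):
    # MIC covers frame control, the three addresses, the body and the MMIE with
    # its MIC field zeroed. Assumption: HMAC-SHA256/64 stands in for AES-CMAC.
    fc, a1, a2, a3 = frame[0:2], frame[4:10], frame[10:16], frame[16:22]
    data = fc + a1 + a2 + a3 + frame[MGMT_HDR_LEN:] + mmie_no_mic
    return hmac.new(igtk, data, hashlib.sha256).digest()[:8]

def protect(igtk, frame, key_id, ipn):
    """Sender (AP) side: append an MMIE carrying key id, IPN and MIC."""
    mmie_no_mic = struct.pack("<BBH", MMIE_ID, 16, key_id) + ipn.to_bytes(6, "little") + bytes(8)
    return frame + mmie_no_mic[:10] + _mic(igtk, frame, mmie_no_mic)

def verify(igtk, received, last_ipn):
    """Receiver side: return (accepted, new_last_ipn, ids_alert_or_None)."""
    src = received[10:16].hex(":")
    if len(received) < MGMT_HDR_LEN + MMIE_LEN or received[-MMIE_LEN] != MMIE_ID or received[-MMIE_LEN + 1] != 16:
        return False, last_ipn, f"IDS: unprotected mgmt frame from {src} dropped"
    frame, mmie = received[:-MMIE_LEN], received[-MMIE_LEN:]
    ipn = int.from_bytes(mmie[4:10], "little")
    if ipn <= last_ipn:  # replay protection: the IPN must strictly increase
        return False, last_ipn, f"IDS: replayed mgmt frame from {src} (IPN {ipn}) dropped"
    if not hmac.compare_digest(_mic(igtk, frame, mmie[:10] + bytes(8)), mmie[10:]):
        return False, last_ipn, f"IDS: mgmt frame from {src} with invalid MIC dropped"
    return True, ipn, None

if __name__ == "__main__":
    igtk = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    ap, bcast = bytes.fromhex("001122334455"), b"\xff" * 6      # constructed addresses
    legit = protect(igtk, mgmt_frame(DEAUTH_FC, bcast, ap, ap, 1, b"\x03\x00"), 4, 1)
    unprotected = mgmt_frame(DEAUTH_FC, bcast, ap, ap, 2, b"\x03\x00")
    state = 0
    for name, f in [("genuine", legit), ("replayed", legit), ("unprotected", unprotected)]:
        ok, state, alert = verify(igtk, f, state)
        print(f"{name}: {'accepted' if ok else alert}")
```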

So what’s the bottom-line?

To ensure that your network is ready for 802.11w and Windows 8, run the latest Cisco Unified releases on the wireless controllers in your network.

Hi Steven,
If you have a Windows 8 client driver configured with WPA2 and any Cisco lightweight release other than these three you will not be able to connect.
Windows 8 does not support MFP (it supports 11w only) and so the question of whether client MFP is turned on or off is not applicable.
Best Regards,
Jeevan
